Dialogues

Civil Liberties in Wartime 

Stewart Baker is head of the technology practice at Steptoe & Johnson, a former general counsel of the National Security Agency, and co-author of a book titled  The Limits of Trust: Cryptography, Governments, and Electronic Commerce. Eugene Volokhteaches constitutional law at UCLA School of Law and is the author of a textbook on the First Amendment and many law review articles on rights questions.This week they discuss specific security technologies that the U.S. government might adopt in the wake of recent terrorist attacks, and their effect on civil liberties. 

Dear Eugene,

We’ve been talking about civil liberties and about giving the police new wiretap powers to catch terrorists. In part, that’s a question about how much privacy we can afford in this new world. But partly it’s about how much we can trust the police. Today I’d like to talk about trust in two contexts.

1. First, Carnivore. Used properly, Carnivore wiretaps are no big deal from a privacy point of view. The police get a court order allowing them to intercept their target’s Internet communications. They attach Carnivore to a network, and it sorts through the contents of the network. Once the device has found the communications that are covered by the court order, it makes them available to the police. Carnivore raises some technical concerns, of course. Understandably, some network owners don’t want to put an unfamiliar device on their fragile systems, but I didn’t see a privacy problem with Carnivore.

As long as you trust the police to use it lawfully.

This was your point, and a good one. In the old days of Ma Bell, the police got the intercept orders, but it was the phone company that actually did a lot of the work when the tap was implemented. Their billing department matched the name to the phone number. Their technicians figured out what line went with what number and often hooked up the tap. I’m sure that the phone company did this mainly to protect the network from inadvertent harm. But putting the phone company in the middle also had a kind of civil liberties value—not so much by protecting privacy directly as by building trust in the system. A disinterested phone company technician wasn’t likely to get caught up in a desire to capture crooks at any cost. If the police wanted to do more than the court order allowed, the phone company was likely to balk.

As you point out, that safeguard is missing with Carnivore, which is typically programmed by the police. The Internet service providers or ISPs whose networks are tapped have much less control of the tap than the old phone companies did. I agree with you that it would be better to have a third party in the middle, and I’m glad that some ISPs and portals insist on using their own wiretap solutions rather than taking Carnivore off the shelf. But we should also remember the limits of this third-party check. ISPs are often new, financially strapped startups offering retail service for a fixed fee. They aren’t a regulated monopoly that can pass on wiretap costs to their customers. So the smaller companies are likely to adopt whatever wiretap solution looks quickest and cheapest. That’s why I think we make a mistake in trying to bring back the old Ma Bell model for Internet wiretaps. We ought to focus on other ways to make sure we can “trust but verify” how the police carry out wiretaps.

2. The trust issue, rather than direct privacy protection, is also at the heart of another issue that Attorney General Ashcroft has raised recently. He has been saying that wiretaps should follow the suspect, not the suspect’s phone. He wants more authority for “multipoint” or “roving” wiretaps. That way, if a target uses three or four different phones or buys a new phone from Wal-Mart during the investigation, the police will have authority to quickly activate a new tap of the suspect’s new phone. (Since a version of this authority already exists for criminal wiretaps, his proposal isn’t all that clear; he may simply want to expand the existing authority to cover foreign intelligence cases; we’ll have to await the details of his proposal to know for sure.)

Whatever the precise scope of the proposal, though, it’s hard to see a problem from a privacy point of view. In fact, you could say that this is a pro-privacy approach. In the old days, the police tapped land-line phones in the suspect’s house, which meant they listened to the suspect—and his wife, and his teen-age daughter, and the housekeeper calling home, and the neighbor who dropped by and needed to check his messages by phone. By focusing the tap on the suspect, we may actually be able to protect those other people’s privacy a little better.

As with Carnivore, the real issue is how much you are willing to trust the police. It’s not possible to build a technology that will identify the target automatically when he moves from phone to phone. The success of roving wiretaps will depend a lot on the police’s ability to identify which phones the suspect is using. Which means that the phone company will no longer be in the middle, using its billing records to help match the wiretap order to particular phones. Instead, the police will likely just tell the phone company to “Move the tap to 555-5692 now; that’s where the suspect is calling from.” The phone company can’t be sure that’s true. It has to trust the police.

In this area, too, my inclination is to give the police the authority to follow suspects as they move from phone to phone and then look for other ways to ensure that our trust is not abused. We can’t be naive. Police are human. Sometimes they get carried away with their job, and sometimes they misuse their powers. We need to have checks and audits. But I don’t think that we should assume, as too many civil libertarians do, that the police can never be trusted; nor should we insist on any single verification method. As technologies and industries change, so too should the methods we use to keep track of wiretaps. The automation of wiretaps can mean less need for third party intervention, but it also means that we can use the audit and logging functions of modern computers to know exactly which police officer did what at any time to the wiretap system—and to hold them accountable. Properly used, that technology should provide a better check on police abuses than trying to hang on to the old “Ma Bell in the middle” solution every time we are reluctant just to trust the police.